Apparently, the exploit involves using a modified URL and then supplying the correct date of birth as the answer to a security question, at which point the password can be easily reset. A step-by-step guide to abusing the exploit is said to be out there somewhere, but The Verge has declined to link to it, citing security reasons. The exploit only affects users who haven't already enabled two-step verification on their accounts.

Given the relative secrecy of the method, we haven't been able to verify the exploit firsthand, but you should go enable two-step verification anyway—exploit or not—just as a matter of general security. Some users are reporting up to a three-day wait to enable verification, and during this wait, accounts are reported to be vulnerable to the exploit. So if you really, really want to be careful, the best bet is to go and change your birthday to one of your many unbirthdays. You can do that from your Account Settings, at the bottom of the page for "Password and Security." [The Verge]

Update: The password reset tool is now down for maintenance, so we can only assume any holes are currently being patched up.